EDRPrison leverages a legitimate WFP callout driver, WinDivert, to effectively silence EDR systems. Drawing inspiration from tools like Shutter, FireBlock, and EDRSilencer, this project focuses on network-based evasion techniques.
Unlike its predecessors, EDRPrison installs and loads an external legitimate WFP callout driver instead of relying solely on the built-in WFP.
Additionally, it blocks outbound traffic from EDR processes by dynamically adding runtime filters without directly interacting with the EDR processes or their executables.
In summary, EDRPrison has the following key features and capabilities
Please refer to the article for more technical.
Elevated privileges are required to run EDRPrison successfully. EDRPrison comprises the following three components:
EDRPrison offers several enhancements and improvements over its predecessors, making it a more robust and stealthy tool for network-based EDR evasion:
Due to the resources available to me, I have tested EDRPrison against Elastic Endpoint and Microsoft Defender for Endpoint (MDE) on my physical server so far.
Relevant processes for Elastic Endpoint and MDE are hardcoded in the source code. During the tests, neither the main program nor WinDivert was detected by the security systems.
I tested a few common malware samples, such as Mimikatz. These samples can still be detected because, even without internet connectivity, EDR systems retain basic detection capabilities such as hash-based signatures.
After executing the malware, the number of packets increased, indicating that they contained alert data.
For more information click here.
Introduction Google Dorking is a technique where advanced search operators are used to uncover information…
Introduction In cybersecurity and IT operations, logging fundamentals form the backbone of monitoring, forensics, and…
What is Networking? Networking brings together devices like computers, servers, routers, and switches so they…
Introduction In the world of Open Source Intelligence (OSINT), anonymity and operational security (OPSEC) are…
Introduction As cyber threats grow more sophisticated, organizations need more than just firewalls and antivirus…
Introduction When it comes to cybersecurity and ethical hacking, one of the most effective ways…